From: Greg Kroah-Hartman Date: Fri, 7 Sep 2018 10:04:09 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.18.7~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2031f2b035a5f71e7e815c5ec6800db261512078;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch dm-crypt-don-t-decrease-device-limits.patch dm-integrity-change-suspending-variable-from-bool-to-int.patch dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch dm-writecache-fix-a-crash-due-to-reading-past-end-of-dirty_bitmap.patch drivers-hv-vmbus-fix-the-offer_in_progress-in-vmbus_process_offer.patch drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch eventpoll.h-wrap-casts-in-properly.patch extcon-release-locking-when-sending-the-notification-of-connector-state.patch iio-ad9523-fix-displayed-phase.patch iio-ad9523-fix-return-value-for-ad952x_store.patch iio-sca3000-fix-missing-return-in-switch.patch livepatch-validate-module-old-func-name-length.patch mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch overflow.h-add-arithmetic-shift-helper.patch ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch printk-tracing-do-not-trace-printk_nmi_enter.patch rtc-omap-fix-potential-crash-on-power-off.patch rtc-omap-fix-resource-leak-in-registration-error-path.patch tracing-blktrace-fix-to-allow-setting-same-value.patch tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch uart-fix-race-between-uart_put_char-and-uart_shutdown.patch uprobes-use-synchronize_rcu-not-synchronize_sched.patch vmw_balloon-do-not-use-2mb-without-batching.patch vmw_balloon-fix-inflation-of-64-bit-gfns.patch vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch vmw_balloon-vmci_doorbell_set-does-not-check-status.patch --- diff --git a/queue-4.18/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch b/queue-4.18/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch new file mode 100644 index 00000000000..46a56dffbb3 --- /dev/null +++ b/queue-4.18/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch @@ -0,0 +1,53 @@ +From fd2fa95416188a767a63979296fa3e169a9ef5ec Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Thu, 2 Aug 2018 16:08:52 -0400 +Subject: dm cache metadata: save in-core policy_hint_size to on-disk superblock + +From: Mike Snitzer + +commit fd2fa95416188a767a63979296fa3e169a9ef5ec upstream. + +policy_hint_size starts as 0 during __write_initial_superblock(). It +isn't until the policy is loaded that policy_hint_size is set in-core +(cmd->policy_hint_size). But it never got recorded in the on-disk +superblock because __commit_transaction() didn't deal with transfering +the in-core cmd->policy_hint_size to the on-disk superblock. + +The in-core cmd->policy_hint_size gets initialized by metadata_open()'s +__begin_transaction_flags() which re-reads all superblock fields. +Because the superblock's policy_hint_size was never properly stored, when +the cache was created, hints_array_available() would always return false +when re-activating a previously created cache. This means +__load_mappings() always considered the hints invalid and never made use +of the hints (these hints served to optimize). + +Another detremental side-effect of this oversight is the cache_check +utility would fail with: "invalid hint width: 0" + +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -363,7 +363,7 @@ static int __write_initial_superblock(st + disk_super->version = cpu_to_le32(cmd->version); + memset(disk_super->policy_name, 0, sizeof(disk_super->policy_name)); + memset(disk_super->policy_version, 0, sizeof(disk_super->policy_version)); +- disk_super->policy_hint_size = 0; ++ disk_super->policy_hint_size = cpu_to_le32(0); + + __copy_sm_root(cmd, disk_super); + +@@ -701,6 +701,7 @@ static int __commit_transaction(struct d + disk_super->policy_version[0] = cpu_to_le32(cmd->policy_version[0]); + disk_super->policy_version[1] = cpu_to_le32(cmd->policy_version[1]); + disk_super->policy_version[2] = cpu_to_le32(cmd->policy_version[2]); ++ disk_super->policy_hint_size = cpu_to_le32(cmd->policy_hint_size); + + disk_super->read_hits = cpu_to_le32(cmd->stats.read_hits); + disk_super->read_misses = cpu_to_le32(cmd->stats.read_misses); diff --git a/queue-4.18/dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch b/queue-4.18/dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch new file mode 100644 index 00000000000..ba1caba37cb --- /dev/null +++ b/queue-4.18/dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch @@ -0,0 +1,127 @@ +From 5b1fe7bec8a8d0cc547a22e7ddc2bd59acd67de4 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 9 Aug 2018 12:38:28 +0200 +Subject: dm cache metadata: set dirty on all cache blocks after a crash + +From: Ilya Dryomov + +commit 5b1fe7bec8a8d0cc547a22e7ddc2bd59acd67de4 upstream. + +Quoting Documentation/device-mapper/cache.txt: + + The 'dirty' state for a cache block changes far too frequently for us + to keep updating it on the fly. So we treat it as a hint. In normal + operation it will be written when the dm device is suspended. If the + system crashes all cache blocks will be assumed dirty when restarted. + +This got broken in commit f177940a8091 ("dm cache metadata: switch to +using the new cursor api for loading metadata") in 4.9, which removed +the code that consulted cmd->clean_when_opened (CLEAN_SHUTDOWN on-disk +flag) when loading cache blocks. This results in data corruption on an +unclean shutdown with dirty cache blocks on the fast device. After the +crash those blocks are considered clean and may get evicted from the +cache at any time. This can be demonstrated by doing a lot of reads +to trigger individual evictions, but uncache is more predictable: + + ### Disable auto-activation in lvm.conf to be able to do uncache in + ### time (i.e. see uncache doing flushing) when the fix is applied. + + # xfs_io -d -c 'pwrite -b 4M -S 0xaa 0 1G' /dev/vdb + # vgcreate vg_cache /dev/vdb /dev/vdc + # lvcreate -L 1G -n lv_slowdev vg_cache /dev/vdb + # lvcreate -L 512M -n lv_cachedev vg_cache /dev/vdc + # lvcreate -L 256M -n lv_metadev vg_cache /dev/vdc + # lvconvert --type cache-pool --cachemode writeback vg_cache/lv_cachedev --poolmetadata vg_cache/lv_metadev + # lvconvert --type cache vg_cache/lv_slowdev --cachepool vg_cache/lv_cachedev + # xfs_io -d -c 'pwrite -b 4M -S 0xbb 0 512M' /dev/mapper/vg_cache-lv_slowdev + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + # dmsetup status vg_cache-lv_slowdev + 0 2097152 cache 8 27/65536 128 8192/8192 1 100 0 0 0 8192 7065 2 metadata2 writeback 2 migration_threshold 2048 smq 0 rw - + ^^^^ + 7065 * 64k = 441M yet to be written to the slow device + # echo b >/proc/sysrq-trigger + + # vgchange -ay vg_cache + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + # lvconvert --uncache vg_cache/lv_slowdev + Flushing 0 blocks for cache vg_cache/lv_slowdev. + Logical volume "lv_cachedev" successfully removed + Logical volume vg_cache/lv_slowdev is not cached. + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................ + 0fe00010: aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................ + +This is the case with both v1 and v2 cache pool metatata formats. + +After applying this patch: + + # vgchange -ay vg_cache + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + # lvconvert --uncache vg_cache/lv_slowdev + Flushing 3724 blocks for cache vg_cache/lv_slowdev. + ... + Flushing 71 blocks for cache vg_cache/lv_slowdev. + Logical volume "lv_cachedev" successfully removed + Logical volume vg_cache/lv_slowdev is not cached. + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + +Cc: stable@vger.kernel.org +Fixes: f177940a8091 ("dm cache metadata: switch to using the new cursor api for loading metadata") +Signed-off-by: Ilya Dryomov +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -1323,6 +1323,7 @@ static int __load_mapping_v1(struct dm_c + + dm_oblock_t oblock; + unsigned flags; ++ bool dirty = true; + + dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le); + memcpy(&mapping, mapping_value_le, sizeof(mapping)); +@@ -1333,8 +1334,10 @@ static int __load_mapping_v1(struct dm_c + dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le); + memcpy(&hint, hint_value_le, sizeof(hint)); + } ++ if (cmd->clean_when_opened) ++ dirty = flags & M_DIRTY; + +- r = fn(context, oblock, to_cblock(cb), flags & M_DIRTY, ++ r = fn(context, oblock, to_cblock(cb), dirty, + le32_to_cpu(hint), hints_valid); + if (r) { + DMERR("policy couldn't load cache block %llu", +@@ -1362,7 +1365,7 @@ static int __load_mapping_v2(struct dm_c + + dm_oblock_t oblock; + unsigned flags; +- bool dirty; ++ bool dirty = true; + + dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le); + memcpy(&mapping, mapping_value_le, sizeof(mapping)); +@@ -1373,8 +1376,9 @@ static int __load_mapping_v2(struct dm_c + dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le); + memcpy(&hint, hint_value_le, sizeof(hint)); + } ++ if (cmd->clean_when_opened) ++ dirty = dm_bitset_cursor_get_value(dirty_cursor); + +- dirty = dm_bitset_cursor_get_value(dirty_cursor); + r = fn(context, oblock, to_cblock(cb), dirty, + le32_to_cpu(hint), hints_valid); + if (r) { diff --git a/queue-4.18/dm-crypt-don-t-decrease-device-limits.patch b/queue-4.18/dm-crypt-don-t-decrease-device-limits.patch new file mode 100644 index 00000000000..cec58f47f5f --- /dev/null +++ b/queue-4.18/dm-crypt-don-t-decrease-device-limits.patch @@ -0,0 +1,44 @@ +From bc9e9cf0401f18e33b78d4c8a518661b8346baf7 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 10 Aug 2018 11:23:56 -0400 +Subject: dm crypt: don't decrease device limits + +From: Mikulas Patocka + +commit bc9e9cf0401f18e33b78d4c8a518661b8346baf7 upstream. + +dm-crypt should only increase device limits, it should not decrease them. + +This fixes a bug where the user could creates a crypt device with 1024 +sector size on the top of scsi device that had 4096 logical block size. +The limit 4096 would be lost and the user could incorrectly send +1024-I/Os to the crypt device. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-crypt.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -3069,11 +3069,11 @@ static void crypt_io_hints(struct dm_tar + */ + limits->max_segment_size = PAGE_SIZE; + +- if (cc->sector_size != (1 << SECTOR_SHIFT)) { +- limits->logical_block_size = cc->sector_size; +- limits->physical_block_size = cc->sector_size; +- blk_limits_io_min(limits, cc->sector_size); +- } ++ limits->logical_block_size = ++ max_t(unsigned short, limits->logical_block_size, cc->sector_size); ++ limits->physical_block_size = ++ max_t(unsigned, limits->physical_block_size, cc->sector_size); ++ limits->io_min = max_t(unsigned, limits->io_min, cc->sector_size); + } + + static struct target_type crypt_target = { diff --git a/queue-4.18/dm-integrity-change-suspending-variable-from-bool-to-int.patch b/queue-4.18/dm-integrity-change-suspending-variable-from-bool-to-int.patch new file mode 100644 index 00000000000..a29b47a0e39 --- /dev/null +++ b/queue-4.18/dm-integrity-change-suspending-variable-from-bool-to-int.patch @@ -0,0 +1,55 @@ +From c21b16392701543d61e366dca84e15fe7f0cf0cf Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 3 Jul 2018 20:13:25 +0200 +Subject: dm integrity: change 'suspending' variable from bool to int + +From: Mikulas Patocka + +commit c21b16392701543d61e366dca84e15fe7f0cf0cf upstream. + +Early alpha processors can't write a byte or short atomically - they +read 8 bytes, modify the byte or two bytes in registers and write back +8 bytes. + +The modification of the variable "suspending" may race with +modification of the variable "failed". Fix this by changing +"suspending" to an int. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-integrity.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -178,7 +178,7 @@ struct dm_integrity_c { + __u8 sectors_per_block; + + unsigned char mode; +- bool suspending; ++ int suspending; + + int failed; + +@@ -2210,7 +2210,7 @@ static void dm_integrity_postsuspend(str + + del_timer_sync(&ic->autocommit_timer); + +- ic->suspending = true; ++ WRITE_ONCE(ic->suspending, 1); + + queue_work(ic->commit_wq, &ic->commit_work); + drain_workqueue(ic->commit_wq); +@@ -2220,7 +2220,7 @@ static void dm_integrity_postsuspend(str + dm_integrity_flush_buffers(ic); + } + +- ic->suspending = false; ++ WRITE_ONCE(ic->suspending, 0); + + BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress)); + diff --git a/queue-4.18/dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch b/queue-4.18/dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch new file mode 100644 index 00000000000..aae53e03587 --- /dev/null +++ b/queue-4.18/dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch @@ -0,0 +1,56 @@ +From 75294442d896f2767be34f75aca7cc2b0d01301f Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Thu, 2 Aug 2018 16:18:24 +0800 +Subject: dm thin: stop no_space_timeout worker when switching to write-mode + +From: Hou Tao + +commit 75294442d896f2767be34f75aca7cc2b0d01301f upstream. + +Now both check_for_space() and do_no_space_timeout() will read & write +pool->pf.error_if_no_space. If these functions run concurrently, as +shown in the following case, the default setting of "queue_if_no_space" +can get lost. + +precondition: + * error_if_no_space = false (aka "queue_if_no_space") + * pool is in Out-of-Data-Space (OODS) mode + * no_space_timeout worker has been queued + +CPU 0: CPU 1: +// delete a thin device +process_delete_mesg() +// check_for_space() invoked by commit() +set_pool_mode(pool, PM_WRITE) + pool->pf.error_if_no_space = \ + pt->requested_pf.error_if_no_space + + // timeout, pool is still in OODS mode + do_no_space_timeout + // "queue_if_no_space" config is lost + pool->pf.error_if_no_space = true + pool->pf.mode = new_mode + +Fix it by stopping no_space_timeout worker when switching to write mode. + +Fixes: bcc696fac11f ("dm thin: stay in out-of-data-space mode once no_space_timeout expires") +Cc: stable@vger.kernel.org +Signed-off-by: Hou Tao +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2520,6 +2520,8 @@ static void set_pool_mode(struct pool *p + case PM_WRITE: + if (old_mode != new_mode) + notify_of_pool_mode_change(pool, "write"); ++ if (old_mode == PM_OUT_OF_DATA_SPACE) ++ cancel_delayed_work_sync(&pool->no_space_timeout); + pool->out_of_data_space = false; + pool->pf.error_if_no_space = pt->requested_pf.error_if_no_space; + dm_pool_metadata_read_write(pool->pmd); diff --git a/queue-4.18/dm-writecache-fix-a-crash-due-to-reading-past-end-of-dirty_bitmap.patch b/queue-4.18/dm-writecache-fix-a-crash-due-to-reading-past-end-of-dirty_bitmap.patch new file mode 100644 index 00000000000..0867650e7ca --- /dev/null +++ b/queue-4.18/dm-writecache-fix-a-crash-due-to-reading-past-end-of-dirty_bitmap.patch @@ -0,0 +1,37 @@ +From 1e1132ea21da6d7be92a72195204379c819cb70b Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 16 Aug 2018 12:23:19 -0400 +Subject: dm writecache: fix a crash due to reading past end of dirty_bitmap + +From: Mikulas Patocka + +commit 1e1132ea21da6d7be92a72195204379c819cb70b upstream. + +wc->dirty_bitmap_size is in bytes so must multiply it by 8, not by +BITS_PER_LONG, to get number of bitmap_bits. + +Fixes crash in find_next_bit() that was reported: +https://bugzilla.kernel.org/show_bug.cgi?id=200819 + +Reported-by: edo.rus@gmail.com +Fixes: 48debafe4f2f ("dm: add writecache target") +Cc: stable@vger.kernel.org # 4.18 +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -457,7 +457,7 @@ static void ssd_commit_flushed(struct dm + COMPLETION_INITIALIZER_ONSTACK(endio.c), + ATOMIC_INIT(1), + }; +- unsigned bitmap_bits = wc->dirty_bitmap_size * BITS_PER_LONG; ++ unsigned bitmap_bits = wc->dirty_bitmap_size * 8; + unsigned i = 0; + + while (1) { diff --git a/queue-4.18/drivers-hv-vmbus-fix-the-offer_in_progress-in-vmbus_process_offer.patch b/queue-4.18/drivers-hv-vmbus-fix-the-offer_in_progress-in-vmbus_process_offer.patch new file mode 100644 index 00000000000..e38b2c06f53 --- /dev/null +++ b/queue-4.18/drivers-hv-vmbus-fix-the-offer_in_progress-in-vmbus_process_offer.patch @@ -0,0 +1,40 @@ +From 50229128727f7e11840ca1b2b501f880818d56b6 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Tue, 5 Jun 2018 13:37:52 -0700 +Subject: Drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() + +From: Dexuan Cui + +commit 50229128727f7e11840ca1b2b501f880818d56b6 upstream. + +I didn't really hit a real bug, but just happened to spot the bug: +we have decreased the counter at the beginning of vmbus_process_offer(), +so we mustn't decrease it again. + +Fixes: 6f3d791f3006 ("Drivers: hv: vmbus: Fix rescind handling issues") +Signed-off-by: Dexuan Cui +Cc: stable@vger.kernel.org +Cc: Stephen Hemminger +Cc: K. Y. Srinivasan +Cc: Stable # 4.14 and above +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel_mgmt.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -527,10 +527,8 @@ static void vmbus_process_offer(struct v + struct hv_device *dev + = newchannel->primary_channel->device_obj; + +- if (vmbus_add_channel_kobj(dev, newchannel)) { +- atomic_dec(&vmbus_connection.offer_in_progress); ++ if (vmbus_add_channel_kobj(dev, newchannel)) + goto err_free_chan; +- } + + if (channel->sc_creation_callback != NULL) + channel->sc_creation_callback(newchannel); diff --git a/queue-4.18/drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch b/queue-4.18/drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch new file mode 100644 index 00000000000..e18649b5e1e --- /dev/null +++ b/queue-4.18/drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch @@ -0,0 +1,134 @@ +From d3b26dd7cb0e3433bfd3c1d4dcf74c6039bb49fb Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Thu, 2 Aug 2018 03:08:23 +0000 +Subject: Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() + +From: Dexuan Cui + +commit d3b26dd7cb0e3433bfd3c1d4dcf74c6039bb49fb upstream. + +Before setting channel->rescind in vmbus_rescind_cleanup(), we should make +sure the channel callback won't run any more, otherwise a high-level +driver like pci_hyperv, which may be infinitely waiting for the host VSP's +response and notices the channel has been rescinded, can't safely give +up: e.g., in hv_pci_protocol_negotiation() -> wait_for_response(), it's +unsafe to exit from wait_for_response() and proceed with the on-stack +variable "comp_pkt" popped. The issue was originally spotted by +Michael Kelley . + +In vmbus_close_internal(), the patch also minimizes the range protected by +disabling/enabling channel->callback_event: we don't really need that for +the whole function. + +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Cc: stable@vger.kernel.org +Cc: K. Y. Srinivasan +Cc: Stephen Hemminger +Cc: Michael Kelley +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 40 ++++++++++++++++++++++++---------------- + drivers/hv/channel_mgmt.c | 6 ++++++ + include/linux/hyperv.h | 2 ++ + 3 files changed, 32 insertions(+), 16 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -558,11 +558,8 @@ static void reset_channel_cb(void *arg) + channel->onchannel_callback = NULL; + } + +-static int vmbus_close_internal(struct vmbus_channel *channel) ++void vmbus_reset_channel_cb(struct vmbus_channel *channel) + { +- struct vmbus_channel_close_channel *msg; +- int ret; +- + /* + * vmbus_on_event(), running in the per-channel tasklet, can race + * with vmbus_close_internal() in the case of SMP guest, e.g., when +@@ -572,6 +569,29 @@ static int vmbus_close_internal(struct v + */ + tasklet_disable(&channel->callback_event); + ++ channel->sc_creation_callback = NULL; ++ ++ /* Stop the callback asap */ ++ if (channel->target_cpu != get_cpu()) { ++ put_cpu(); ++ smp_call_function_single(channel->target_cpu, reset_channel_cb, ++ channel, true); ++ } else { ++ reset_channel_cb(channel); ++ put_cpu(); ++ } ++ ++ /* Re-enable tasklet for use on re-open */ ++ tasklet_enable(&channel->callback_event); ++} ++ ++static int vmbus_close_internal(struct vmbus_channel *channel) ++{ ++ struct vmbus_channel_close_channel *msg; ++ int ret; ++ ++ vmbus_reset_channel_cb(channel); ++ + /* + * In case a device driver's probe() fails (e.g., + * util_probe() -> vmbus_open() returns -ENOMEM) and the device is +@@ -585,16 +605,6 @@ static int vmbus_close_internal(struct v + } + + channel->state = CHANNEL_OPEN_STATE; +- channel->sc_creation_callback = NULL; +- /* Stop callback and cancel the timer asap */ +- if (channel->target_cpu != get_cpu()) { +- put_cpu(); +- smp_call_function_single(channel->target_cpu, reset_channel_cb, +- channel, true); +- } else { +- reset_channel_cb(channel); +- put_cpu(); +- } + + /* Send a closing message */ + +@@ -639,8 +649,6 @@ static int vmbus_close_internal(struct v + get_order(channel->ringbuffer_pagecount * PAGE_SIZE)); + + out: +- /* re-enable tasklet for use on re-open */ +- tasklet_enable(&channel->callback_event); + return ret; + } + +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -893,6 +893,12 @@ static void vmbus_onoffer_rescind(struct + } + + /* ++ * Before setting channel->rescind in vmbus_rescind_cleanup(), we ++ * should make sure the channel callback is not running any more. ++ */ ++ vmbus_reset_channel_cb(channel); ++ ++ /* + * Now wait for offer handling to complete. + */ + vmbus_rescind_cleanup(channel); +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1046,6 +1046,8 @@ extern int vmbus_establish_gpadl(struct + extern int vmbus_teardown_gpadl(struct vmbus_channel *channel, + u32 gpadl_handle); + ++void vmbus_reset_channel_cb(struct vmbus_channel *channel); ++ + extern int vmbus_recvpacket(struct vmbus_channel *channel, + void *buffer, + u32 bufferlen, diff --git a/queue-4.18/eventpoll.h-wrap-casts-in-properly.patch b/queue-4.18/eventpoll.h-wrap-casts-in-properly.patch new file mode 100644 index 00000000000..d812e17c76b --- /dev/null +++ b/queue-4.18/eventpoll.h-wrap-casts-in-properly.patch @@ -0,0 +1,57 @@ +From 45cd74cb5061781e793a098c420a7f548fdc9e7d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 10 Jul 2018 17:15:38 +0200 +Subject: eventpoll.h: wrap casts in () properly + +From: Greg Kroah-Hartman + +commit 45cd74cb5061781e793a098c420a7f548fdc9e7d upstream. + +When importing the latest copy of the kernel headers into Bionic, +Christpher and Elliott noticed that the eventpoll.h casts were not +wrapped in (). As it is, clang complains about macros without +surrounding (), so this makes it a pain for userspace tools. + +So fix it up by adding another () pair, and make them line up purty by +using tabs. + +Fixes: 65aaf87b3aa2 ("add EPOLLNVAL, annotate EPOLL... and event_poll->event") +Reported-by: Christopher Ferris +Reported-by: Elliott Hughes +Cc: stable +Cc: Thomas Gleixner +Cc: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/eventpoll.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/uapi/linux/eventpoll.h ++++ b/include/uapi/linux/eventpoll.h +@@ -42,7 +42,7 @@ + #define EPOLLRDHUP (__force __poll_t)0x00002000 + + /* Set exclusive wakeup mode for the target file descriptor */ +-#define EPOLLEXCLUSIVE (__force __poll_t)(1U << 28) ++#define EPOLLEXCLUSIVE ((__force __poll_t)(1U << 28)) + + /* + * Request the handling of system wakeup events so as to prevent system suspends +@@ -54,13 +54,13 @@ + * + * Requires CAP_BLOCK_SUSPEND + */ +-#define EPOLLWAKEUP (__force __poll_t)(1U << 29) ++#define EPOLLWAKEUP ((__force __poll_t)(1U << 29)) + + /* Set the One Shot behaviour for the target file descriptor */ +-#define EPOLLONESHOT (__force __poll_t)(1U << 30) ++#define EPOLLONESHOT ((__force __poll_t)(1U << 30)) + + /* Set the Edge Triggered behaviour for the target file descriptor */ +-#define EPOLLET (__force __poll_t)(1U << 31) ++#define EPOLLET ((__force __poll_t)(1U << 31)) + + /* + * On x86-64 make the 64bit structure have the same alignment as the diff --git a/queue-4.18/extcon-release-locking-when-sending-the-notification-of-connector-state.patch b/queue-4.18/extcon-release-locking-when-sending-the-notification-of-connector-state.patch new file mode 100644 index 00000000000..baad364e1c9 --- /dev/null +++ b/queue-4.18/extcon-release-locking-when-sending-the-notification-of-connector-state.patch @@ -0,0 +1,50 @@ +From 8a9dbb779fe882325b9a0238494a7afaff2eb444 Mon Sep 17 00:00:00 2001 +From: Chanwoo Choi +Date: Thu, 14 Jun 2018 11:16:29 +0900 +Subject: extcon: Release locking when sending the notification of connector state + +From: Chanwoo Choi + +commit 8a9dbb779fe882325b9a0238494a7afaff2eb444 upstream. + +Previously, extcon used the spinlock before calling the notifier_call_chain +to prevent the scheduled out of task and to prevent the notification delay. +When spinlock is locked for sending the notification, deadlock issue +occured on the side of extcon consumer device. To fix this issue, +extcon consumer device should always use the work. it is always not +reasonable to use work. + +To fix this issue on extcon consumer device, release locking when sending +the notification of connector state. + +Fixes: ab11af049f88 ("extcon: Add the synchronization extcon APIs to support the notification") +Cc: stable@vger.kernel.org +Cc: Roger Quadros +Cc: Kishon Vijay Abraham I +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/extcon/extcon.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -433,8 +433,8 @@ int extcon_sync(struct extcon_dev *edev, + return index; + + spin_lock_irqsave(&edev->lock, flags); +- + state = !!(edev->state & BIT(index)); ++ spin_unlock_irqrestore(&edev->lock, flags); + + /* + * Call functions in a raw notifier chain for the specific one +@@ -448,6 +448,7 @@ int extcon_sync(struct extcon_dev *edev, + */ + raw_notifier_call_chain(&edev->nh_all, state, edev); + ++ spin_lock_irqsave(&edev->lock, flags); + /* This could be in interrupt handler */ + prop_buf = (char *)get_zeroed_page(GFP_ATOMIC); + if (!prop_buf) { diff --git a/queue-4.18/iio-ad9523-fix-displayed-phase.patch b/queue-4.18/iio-ad9523-fix-displayed-phase.patch new file mode 100644 index 00000000000..9bcb8692366 --- /dev/null +++ b/queue-4.18/iio-ad9523-fix-displayed-phase.patch @@ -0,0 +1,36 @@ +From 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Mon, 25 Jun 2018 11:03:07 +0300 +Subject: iio: ad9523: Fix displayed phase + +From: Lars-Peter Clausen + +commit 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e upstream. + +Fix the displayed phase for the ad9523 driver. Currently the most +significant decimal place is dropped and all other digits are shifted one +to the left. This is due to a multiplication by 10, which is not necessary, +so remove it. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Fixes: cd1678f9632 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/frequency/ad9523.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/frequency/ad9523.c ++++ b/drivers/iio/frequency/ad9523.c +@@ -642,7 +642,7 @@ static int ad9523_read_raw(struct iio_de + code = (AD9523_CLK_DIST_DIV_PHASE_REV(ret) * 3141592) / + AD9523_CLK_DIST_DIV_REV(ret); + *val = code / 1000000; +- *val2 = (code % 1000000) * 10; ++ *val2 = code % 1000000; + return IIO_VAL_INT_PLUS_MICRO; + default: + return -EINVAL; diff --git a/queue-4.18/iio-ad9523-fix-return-value-for-ad952x_store.patch b/queue-4.18/iio-ad9523-fix-return-value-for-ad952x_store.patch new file mode 100644 index 00000000000..3abaa07c88e --- /dev/null +++ b/queue-4.18/iio-ad9523-fix-return-value-for-ad952x_store.patch @@ -0,0 +1,40 @@ +From 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Fri, 27 Jul 2018 09:42:45 +0300 +Subject: iio: ad9523: Fix return value for ad952x_store() + +From: Lars-Peter Clausen + +commit 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 upstream. + +A sysfs write callback function needs to either return the number of +consumed characters or an error. + +The ad952x_store() function currently returns 0 if the input value was "0", +this will signal that no characters have been consumed and the function +will be called repeatedly in a loop indefinitely. Fix this by returning +number of supplied characters to indicate that the whole input string has +been consumed. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Fixes: cd1678f96329 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/frequency/ad9523.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/frequency/ad9523.c ++++ b/drivers/iio/frequency/ad9523.c +@@ -508,7 +508,7 @@ static ssize_t ad9523_store(struct devic + return ret; + + if (!state) +- return 0; ++ return len; + + mutex_lock(&indio_dev->mlock); + switch ((u32)this_attr->address) { diff --git a/queue-4.18/iio-sca3000-fix-missing-return-in-switch.patch b/queue-4.18/iio-sca3000-fix-missing-return-in-switch.patch new file mode 100644 index 00000000000..4c034414326 --- /dev/null +++ b/queue-4.18/iio-sca3000-fix-missing-return-in-switch.patch @@ -0,0 +1,36 @@ +From c5b974bee9d2ceae4c441ae5a01e498c2674e100 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Sat, 7 Jul 2018 12:44:01 -0500 +Subject: iio: sca3000: Fix missing return in switch + +From: Gustavo A. R. Silva + +commit c5b974bee9d2ceae4c441ae5a01e498c2674e100 upstream. + +The IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY case is missing a +return and will fall through to the default case and errorenously +return -EINVAL. + +Fix this by adding in missing *return ret*. + +Fixes: 626f971b5b07 ("staging:iio:accel:sca3000 Add write support to the low pass filter control") +Reported-by: Jonathan Cameron +Signed-off-by: Gustavo A. R. Silva +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/sca3000.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/accel/sca3000.c ++++ b/drivers/iio/accel/sca3000.c +@@ -797,6 +797,7 @@ static int sca3000_write_raw(struct iio_ + mutex_lock(&st->lock); + ret = sca3000_write_3db_freq(st, val); + mutex_unlock(&st->lock); ++ return ret; + default: + return -EINVAL; + } diff --git a/queue-4.18/livepatch-validate-module-old-func-name-length.patch b/queue-4.18/livepatch-validate-module-old-func-name-length.patch new file mode 100644 index 00000000000..92dd09e3132 --- /dev/null +++ b/queue-4.18/livepatch-validate-module-old-func-name-length.patch @@ -0,0 +1,56 @@ +From 6e9df95b76cad18f7b217bdad7bb8a26d63b8c47 Mon Sep 17 00:00:00 2001 +From: Kamalesh Babulal +Date: Fri, 20 Jul 2018 15:16:42 +0530 +Subject: livepatch: Validate module/old func name length + +From: Kamalesh Babulal + +commit 6e9df95b76cad18f7b217bdad7bb8a26d63b8c47 upstream. + +livepatch module author can pass module name/old function name with more +than the defined character limit. With obj->name length greater than +MODULE_NAME_LEN, the livepatch module gets loaded but waits forever on +the module specified by obj->name to be loaded. It also populates a /sys +directory with an untruncated object name. + +In the case of funcs->old_name length greater then KSYM_NAME_LEN, it +would not match against any of the symbol table entries. Instead loop +through the symbol table comparing them against a nonexisting function, +which can be avoided. + +The same issues apply, to misspelled/incorrect names. At least gatekeep +the modules with over the limit string length, by checking for their +length during livepatch module registration. + +Cc: stable@vger.kernel.org +Signed-off-by: Kamalesh Babulal +Acked-by: Josh Poimboeuf +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/livepatch/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/livepatch/core.c ++++ b/kernel/livepatch/core.c +@@ -678,6 +678,9 @@ static int klp_init_func(struct klp_obje + if (!func->old_name || !func->new_func) + return -EINVAL; + ++ if (strlen(func->old_name) >= KSYM_NAME_LEN) ++ return -EINVAL; ++ + INIT_LIST_HEAD(&func->stack_node); + func->patched = false; + func->transition = false; +@@ -751,6 +754,9 @@ static int klp_init_object(struct klp_pa + if (!obj->funcs) + return -EINVAL; + ++ if (klp_is_module(obj) && strlen(obj->name) >= MODULE_NAME_LEN) ++ return -EINVAL; ++ + obj->patched = false; + obj->mod = NULL; + diff --git a/queue-4.18/mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch b/queue-4.18/mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch new file mode 100644 index 00000000000..f2e0b019a00 --- /dev/null +++ b/queue-4.18/mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch @@ -0,0 +1,65 @@ +From 6afebb70ee7a4bde106dc1a875e7ac7997248f84 Mon Sep 17 00:00:00 2001 +From: Rafael David Tinoco +Date: Fri, 6 Jul 2018 14:28:33 -0300 +Subject: mfd: hi655x: Fix regmap area declared size for hi655x + +From: Rafael David Tinoco + +commit 6afebb70ee7a4bde106dc1a875e7ac7997248f84 upstream. + +Fixes https://bugs.linaro.org/show_bug.cgi?id=3903 + +LTP Functional tests have caused a bad paging request when triggering +the regmap_read_debugfs() logic of the device PMIC Hi6553 (reading +regmap/f8000000.pmic/registers file during read_all test): + +Unable to handle kernel paging request at virtual address ffff0 +[ffff00000984e000] pgd=0000000077ffe803, pud=0000000077ffd803,0 +Internal error: Oops: 96000007 [#1] SMP +... +Hardware name: HiKey Development Board (DT) +... +Call trace: + regmap_mmio_read8+0x24/0x40 + regmap_mmio_read+0x48/0x70 + _regmap_bus_reg_read+0x38/0x48 + _regmap_read+0x68/0x170 + regmap_read+0x50/0x78 + regmap_read_debugfs+0x1a0/0x308 + regmap_map_read_file+0x48/0x58 + full_proxy_read+0x68/0x98 + __vfs_read+0x48/0x80 + vfs_read+0x94/0x150 + SyS_read+0x6c/0xd8 + el0_svc_naked+0x30/0x34 +Code: aa1e03e0 d503201f f9400280 8b334000 (39400000) + +Investigations have showed that, when triggered by debugfs read() +handler, the mmio regmap logic was reading a bigger (16k) register area +than the one mapped by devm_ioremap_resource() during hi655x-pmic probe +time (4k). + +This commit changes hi655x's max register, according to HW specs, to be +the same as the one declared in the pmic device in hi6220's dts, fixing +the issue. + +Cc: #v4.9 #v4.14 #v4.16 #v4.17 +Signed-off-by: Rafael David Tinoco +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/hi655x-pmic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mfd/hi655x-pmic.c ++++ b/drivers/mfd/hi655x-pmic.c +@@ -49,7 +49,7 @@ static struct regmap_config hi655x_regma + .reg_bits = 32, + .reg_stride = HI655X_STRIDE, + .val_bits = 8, +- .max_register = HI655X_BUS_ADDR(0xFFF), ++ .max_register = HI655X_BUS_ADDR(0x400) - HI655X_STRIDE, + }; + + static struct resource pwrkey_resources[] = { diff --git a/queue-4.18/overflow.h-add-arithmetic-shift-helper.patch b/queue-4.18/overflow.h-add-arithmetic-shift-helper.patch new file mode 100644 index 00000000000..8c0232f264d --- /dev/null +++ b/queue-4.18/overflow.h-add-arithmetic-shift-helper.patch @@ -0,0 +1,62 @@ +From 0c66847793d1982d1083dc6f7adad60fa265ce9c Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 1 Aug 2018 14:25:39 -0700 +Subject: overflow.h: Add arithmetic shift helper + +From: Jason Gunthorpe + +commit 0c66847793d1982d1083dc6f7adad60fa265ce9c upstream. + +Add shift_overflow() helper to assist driver authors in ensuring that +shift operations don't cause overflows or other odd conditions. + +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +[kees: tweaked comments and commit log, dropped unneeded assignment] +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/overflow.h | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -202,6 +202,37 @@ + + #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ + ++/** check_shl_overflow() - Calculate a left-shifted value and check overflow ++ * ++ * @a: Value to be shifted ++ * @s: How many bits left to shift ++ * @d: Pointer to where to store the result ++ * ++ * Computes *@d = (@a << @s) ++ * ++ * Returns true if '*d' cannot hold the result or when 'a << s' doesn't ++ * make sense. Example conditions: ++ * - 'a << s' causes bits to be lost when stored in *d. ++ * - 's' is garbage (e.g. negative) or so large that the result of ++ * 'a << s' is guaranteed to be 0. ++ * - 'a' is negative. ++ * - 'a << s' sets the sign bit, if any, in '*d'. ++ * ++ * '*d' will hold the results of the attempted shift, but is not ++ * considered "safe for use" if false is returned. ++ */ ++#define check_shl_overflow(a, s, d) ({ \ ++ typeof(a) _a = a; \ ++ typeof(s) _s = s; \ ++ typeof(d) _d = d; \ ++ u64 _a_full = _a; \ ++ unsigned int _to_shift = \ ++ _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \ ++ *_d = (_a_full << _to_shift); \ ++ (_to_shift != _s || *_d < 0 || _a < 0 || \ ++ (*_d >> _to_shift) != _a); \ ++}) ++ + /** + * array_size() - Calculate size of 2-dimensional array. + * diff --git a/queue-4.18/ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch b/queue-4.18/ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch new file mode 100644 index 00000000000..a380c1862d7 --- /dev/null +++ b/queue-4.18/ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch @@ -0,0 +1,75 @@ +From 67810693077afc1ebf9e1646af300436cb8103c2 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 17 Jul 2018 16:05:38 +0300 +Subject: ovl: fix wrong use of impure dir cache in ovl_iterate() + +From: Amir Goldstein + +commit 67810693077afc1ebf9e1646af300436cb8103c2 upstream. + +Only upper dir can be impure, but if we are in the middle of +iterating a lower real dir, dir could be copied up and marked +impure. We only want the impure cache if we started iterating +a real upper dir to begin with. + +Aditya Kali reported that the following reproducer hits the +WARN_ON(!cache->refcount) in ovl_get_cache(): + + docker run --rm drupal:8.5.4-fpm-alpine \ + sh -c 'cd /var/www/html/vendor/symfony && \ + chown -R www-data:www-data . && ls -l .' + +Reported-by: Aditya Kali +Tested-by: Aditya Kali +Fixes: 4edb83bb1041 ('ovl: constant d_ino for non-merge dirs') +Cc: # v4.14 +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/readdir.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/fs/overlayfs/readdir.c ++++ b/fs/overlayfs/readdir.c +@@ -668,6 +668,21 @@ static int ovl_fill_real(struct dir_cont + return orig_ctx->actor(orig_ctx, name, namelen, offset, ino, d_type); + } + ++static bool ovl_is_impure_dir(struct file *file) ++{ ++ struct ovl_dir_file *od = file->private_data; ++ struct inode *dir = d_inode(file->f_path.dentry); ++ ++ /* ++ * Only upper dir can be impure, but if we are in the middle of ++ * iterating a lower real dir, dir could be copied up and marked ++ * impure. We only want the impure cache if we started iterating ++ * a real upper dir to begin with. ++ */ ++ return od->is_upper && ovl_test_flag(OVL_IMPURE, dir); ++ ++} ++ + static int ovl_iterate_real(struct file *file, struct dir_context *ctx) + { + int err; +@@ -696,7 +711,7 @@ static int ovl_iterate_real(struct file + rdt.parent_ino = stat.ino; + } + +- if (ovl_test_flag(OVL_IMPURE, d_inode(dir))) { ++ if (ovl_is_impure_dir(file)) { + rdt.cache = ovl_cache_get_impure(&file->f_path); + if (IS_ERR(rdt.cache)) + return PTR_ERR(rdt.cache); +@@ -727,7 +742,7 @@ static int ovl_iterate(struct file *file + */ + if (ovl_xino_bits(dentry->d_sb) || + (ovl_same_sb(dentry->d_sb) && +- (ovl_test_flag(OVL_IMPURE, d_inode(dentry)) || ++ (ovl_is_impure_dir(file) || + OVL_TYPE_MERGE(ovl_path_type(dentry->d_parent))))) { + return ovl_iterate_real(file, ctx); + } diff --git a/queue-4.18/printk-tracing-do-not-trace-printk_nmi_enter.patch b/queue-4.18/printk-tracing-do-not-trace-printk_nmi_enter.patch new file mode 100644 index 00000000000..7b6e75f24fa --- /dev/null +++ b/queue-4.18/printk-tracing-do-not-trace-printk_nmi_enter.patch @@ -0,0 +1,106 @@ +From d1c392c9e2a301f38998a353f467f76414e38725 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 5 Sep 2018 16:29:49 -0400 +Subject: printk/tracing: Do not trace printk_nmi_enter() + +From: Steven Rostedt (VMware) + +commit d1c392c9e2a301f38998a353f467f76414e38725 upstream. + +I hit the following splat in my tests: + +------------[ cut here ]------------ +IRQs not enabled as expected +WARNING: CPU: 3 PID: 0 at kernel/time/tick-sched.c:982 tick_nohz_idle_enter+0x44/0x8c +Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6table_filter ip6_tables ipv6 +CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.19.0-rc2-test+ #2 +Hardware name: MSI MS-7823/CSM-H87M-G43 (MS-7823), BIOS V1.6 02/22/2014 +EIP: tick_nohz_idle_enter+0x44/0x8c +Code: ec 05 00 00 00 75 26 83 b8 c0 05 00 00 00 75 1d 80 3d d0 36 3e c1 00 +75 14 68 94 63 12 c1 c6 05 d0 36 3e c1 01 e8 04 ee f8 ff <0f> 0b 58 fa bb a0 +e5 66 c1 e8 25 0f 04 00 64 03 1d 28 31 52 c1 8b +EAX: 0000001c EBX: f26e7f8c ECX: 00000006 EDX: 00000007 +ESI: f26dd1c0 EDI: 00000000 EBP: f26e7f40 ESP: f26e7f38 +DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010296 +CR0: 80050033 CR2: 0813c6b0 CR3: 2f342000 CR4: 001406f0 +Call Trace: + do_idle+0x33/0x202 + cpu_startup_entry+0x61/0x63 + start_secondary+0x18e/0x1ed + startup_32_smp+0x164/0x168 +irq event stamp: 18773830 +hardirqs last enabled at (18773829): [] trace_hardirqs_on_thunk+0xc/0x10 +hardirqs last disabled at (18773830): [] trace_hardirqs_off_thunk+0xc/0x10 +softirqs last enabled at (18773824): [] __do_softirq+0x25f/0x2bf +softirqs last disabled at (18773767): [] call_on_stack+0x45/0x4b +---[ end trace b7c64aa79e17954a ]--- + +After a bit of debugging, I found what was happening. This would trigger +when performing "perf" with a high NMI interrupt rate, while enabling and +disabling function tracer. Ftrace uses breakpoints to convert the nops at +the start of functions to calls to the function trampolines. The breakpoint +traps disable interrupts and this makes calls into lockdep via the +trace_hardirqs_off_thunk in the entry.S code. What happens is the following: + + do_idle { + + [interrupts enabled] + + [interrupts disabled] + TRACE_IRQS_OFF [lockdep says irqs off] + [...] + TRACE_IRQS_IRET + test if pt_regs say return to interrupts enabled [yes] + TRACE_IRQS_ON [lockdep says irqs are on] + + + nmi_enter() { + printk_nmi_enter() [traced by ftrace] + [ hit ftrace breakpoint ] + + TRACE_IRQS_OFF [lockdep says irqs off] + [...] + TRACE_IRQS_IRET [return from breakpoint] + test if pt_regs say interrupts enabled [no] + [iret back to interrupt] + [iret back to code] + + tick_nohz_idle_enter() { + + lockdep_assert_irqs_enabled() [lockdep say no!] + +Although interrupts are indeed enabled, lockdep thinks it is not, and since +we now do asserts via lockdep, it gives a false warning. The issue here is +that printk_nmi_enter() is called before lockdep_off(), which disables +lockdep (for this reason) in NMIs. By simply not allowing ftrace to see +printk_nmi_enter() (via notrace annotation) we keep lockdep from getting +confused. + +Cc: stable@vger.kernel.org +Fixes: 42a0bb3f71383 ("printk/nmi: generic solution for safe printk in NMI") +Acked-by: Sergey Senozhatsky +Acked-by: Petr Mladek +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk_safe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/printk/printk_safe.c ++++ b/kernel/printk/printk_safe.c +@@ -306,12 +306,12 @@ static __printf(1, 0) int vprintk_nmi(co + return printk_safe_log_store(s, fmt, args); + } + +-void printk_nmi_enter(void) ++void notrace printk_nmi_enter(void) + { + this_cpu_or(printk_context, PRINTK_NMI_CONTEXT_MASK); + } + +-void printk_nmi_exit(void) ++void notrace printk_nmi_exit(void) + { + this_cpu_and(printk_context, ~PRINTK_NMI_CONTEXT_MASK); + } diff --git a/queue-4.18/rtc-omap-fix-potential-crash-on-power-off.patch b/queue-4.18/rtc-omap-fix-potential-crash-on-power-off.patch new file mode 100644 index 00000000000..60896f59ac2 --- /dev/null +++ b/queue-4.18/rtc-omap-fix-potential-crash-on-power-off.patch @@ -0,0 +1,57 @@ +From 5c8b84f410b3819d14cb1ebf32e4b3714b5a6e0b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Jul 2018 11:05:55 +0200 +Subject: rtc: omap: fix potential crash on power off + +From: Johan Hovold + +commit 5c8b84f410b3819d14cb1ebf32e4b3714b5a6e0b upstream. + +Do not set the system power-off callback and omap power-off rtc pointer +until we're done setting up our device to avoid leaving stale pointers +around after a late probe error. + +Fixes: 97ea1906b3c2 ("rtc: omap: Support ext_wakeup configuration") +Cc: stable # 4.9 +Cc: Marcin Niestroj +Cc: Tony Lindgren +Signed-off-by: Johan Hovold +Acked-by: Tony Lindgren +Reviewed-by: Marcin Niestroj +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-omap.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-omap.c ++++ b/drivers/rtc/rtc-omap.c +@@ -861,13 +861,6 @@ static int omap_rtc_probe(struct platfor + goto err; + } + +- if (rtc->is_pmic_controller) { +- if (!pm_power_off) { +- omap_rtc_power_off_rtc = rtc; +- pm_power_off = omap_rtc_power_off; +- } +- } +- + /* Support ext_wakeup pinconf */ + rtc_pinctrl_desc.name = dev_name(&pdev->dev); + +@@ -884,6 +877,13 @@ static int omap_rtc_probe(struct platfor + + rtc_nvmem_register(rtc->rtc, &omap_rtc_nvmem_config); + ++ if (rtc->is_pmic_controller) { ++ if (!pm_power_off) { ++ omap_rtc_power_off_rtc = rtc; ++ pm_power_off = omap_rtc_power_off; ++ } ++ } ++ + return 0; + + err_deregister_pinctrl: diff --git a/queue-4.18/rtc-omap-fix-resource-leak-in-registration-error-path.patch b/queue-4.18/rtc-omap-fix-resource-leak-in-registration-error-path.patch new file mode 100644 index 00000000000..021b6c13c43 --- /dev/null +++ b/queue-4.18/rtc-omap-fix-resource-leak-in-registration-error-path.patch @@ -0,0 +1,41 @@ +From 551757eb052986ec81cebcc6301cc1c4f8dca938 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Jul 2018 11:05:56 +0200 +Subject: rtc: omap: fix resource leak in registration error path + +From: Johan Hovold + +commit 551757eb052986ec81cebcc6301cc1c4f8dca938 upstream. + +Make sure to deregister the pin controller in case rtc registration +fails. + +Fixes: 57072758623f ("rtc: omap: switch to rtc_register_device") +Cc: stable # 4.14 +Cc: Alexandre Belloni +Signed-off-by: Johan Hovold +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-omap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-omap.c ++++ b/drivers/rtc/rtc-omap.c +@@ -880,12 +880,14 @@ static int omap_rtc_probe(struct platfor + + ret = rtc_register_device(rtc->rtc); + if (ret) +- goto err; ++ goto err_deregister_pinctrl; + + rtc_nvmem_register(rtc->rtc, &omap_rtc_nvmem_config); + + return 0; + ++err_deregister_pinctrl: ++ pinctrl_unregister(rtc->pctldev); + err: + clk_disable_unprepare(rtc->clk); + device_init_wakeup(&pdev->dev, false); diff --git a/queue-4.18/series b/queue-4.18/series index 9d53011ee82..7d31ff8226c 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -42,6 +42,7 @@ ib-mlx5-fix-leaking-stack-memory-to-userspace.patch ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch ib-srpt-support-hcas-with-more-than-two-ports.patch +overflow.h-add-arithmetic-shift-helper.patch rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch @@ -51,3 +52,30 @@ fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch 9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch net-9p-client.c-version-pointer-uninitialized.patch net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch +dm-integrity-change-suspending-variable-from-bool-to-int.patch +dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch +dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch +dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch +dm-crypt-don-t-decrease-device-limits.patch +dm-writecache-fix-a-crash-due-to-reading-past-end-of-dirty_bitmap.patch +uart-fix-race-between-uart_put_char-and-uart_shutdown.patch +drivers-hv-vmbus-fix-the-offer_in_progress-in-vmbus_process_offer.patch +drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch +iio-sca3000-fix-missing-return-in-switch.patch +iio-ad9523-fix-displayed-phase.patch +iio-ad9523-fix-return-value-for-ad952x_store.patch +extcon-release-locking-when-sending-the-notification-of-connector-state.patch +eventpoll.h-wrap-casts-in-properly.patch +vmw_balloon-fix-inflation-of-64-bit-gfns.patch +vmw_balloon-do-not-use-2mb-without-batching.patch +vmw_balloon-vmci_doorbell_set-does-not-check-status.patch +vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch +rtc-omap-fix-resource-leak-in-registration-error-path.patch +rtc-omap-fix-potential-crash-on-power-off.patch +tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch +tracing-blktrace-fix-to-allow-setting-same-value.patch +printk-tracing-do-not-trace-printk_nmi_enter.patch +livepatch-validate-module-old-func-name-length.patch +uprobes-use-synchronize_rcu-not-synchronize_sched.patch +mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch +ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch diff --git a/queue-4.18/tracing-blktrace-fix-to-allow-setting-same-value.patch b/queue-4.18/tracing-blktrace-fix-to-allow-setting-same-value.patch new file mode 100644 index 00000000000..838e30c75ba --- /dev/null +++ b/queue-4.18/tracing-blktrace-fix-to-allow-setting-same-value.patch @@ -0,0 +1,63 @@ +From 757d9140072054528b13bbe291583d9823cde195 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 16 Aug 2018 16:08:37 -0400 +Subject: tracing/blktrace: Fix to allow setting same value + +From: Steven Rostedt (VMware) + +commit 757d9140072054528b13bbe291583d9823cde195 upstream. + +Masami Hiramatsu reported: + + Current trace-enable attribute in sysfs returns an error + if user writes the same setting value as current one, + e.g. + + # cat /sys/block/sda/trace/enable + 0 + # echo 0 > /sys/block/sda/trace/enable + bash: echo: write error: Invalid argument + # echo 1 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + bash: echo: write error: Device or resource busy + + But this is not a preferred behavior, it should ignore + if new setting is same as current one. This fixes the + problem as below. + + # cat /sys/block/sda/trace/enable + 0 + # echo 0 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + +Link: http://lkml.kernel.org/r/20180816103802.08678002@gandalf.local.home + +Cc: Ingo Molnar +Cc: Jens Axboe +Cc: linux-block@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: cd649b8bb830d ("blktrace: remove sysfs_blk_trace_enable_show/store()") +Reported-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/blktrace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1841,6 +1841,10 @@ static ssize_t sysfs_blk_trace_attr_stor + mutex_lock(&q->blk_trace_mutex); + + if (attr == &dev_attr_enable) { ++ if (!!value == !!q->blk_trace) { ++ ret = 0; ++ goto out_unlock_bdev; ++ } + if (value) + ret = blk_trace_setup_queue(q, bdev); + else diff --git a/queue-4.18/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch b/queue-4.18/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch new file mode 100644 index 00000000000..d031592fdf7 --- /dev/null +++ b/queue-4.18/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch @@ -0,0 +1,41 @@ +From f143641bfef9a4a60c57af30de26c63057e7e695 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 1 Aug 2018 15:40:57 -0400 +Subject: tracing: Do not call start/stop() functions when tracing_on does not change + +From: Steven Rostedt (VMware) + +commit f143641bfef9a4a60c57af30de26c63057e7e695 upstream. + +Currently, when one echo's in 1 into tracing_on, the current tracer's +"start()" function is executed, even if tracing_on was already one. This can +lead to strange side effects. One being that if the hwlat tracer is enabled, +and someone does "echo 1 > tracing_on" into tracing_on, the hwlat tracer's +start() function is called again which will recreate another kernel thread, +and make it unable to remove the old one. + +Link: http://lkml.kernel.org/r/1533120354-22923-1-git-send-email-erica.bugden@linutronix.de + +Cc: stable@vger.kernel.org +Fixes: 2df8f8a6a897e ("tracing: Fix regression with irqsoff tracer and tracing_on file") +Reported-by: Erica Bugden +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7628,7 +7628,9 @@ rb_simple_write(struct file *filp, const + + if (buffer) { + mutex_lock(&trace_types_lock); +- if (val) { ++ if (!!val == tracer_tracing_is_on(tr)) { ++ val = 0; /* do nothing */ ++ } else if (val) { + tracer_tracing_on(tr); + if (tr->current_trace->start) + tr->current_trace->start(tr); diff --git a/queue-4.18/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch b/queue-4.18/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch new file mode 100644 index 00000000000..829215032bf --- /dev/null +++ b/queue-4.18/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch @@ -0,0 +1,186 @@ +From a5ba1d95e46ecaea638ddd7cd144107c783acb5d Mon Sep 17 00:00:00 2001 +From: Tycho Andersen +Date: Fri, 6 Jul 2018 10:24:57 -0600 +Subject: uart: fix race between uart_put_char() and uart_shutdown() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tycho Andersen + +commit a5ba1d95e46ecaea638ddd7cd144107c783acb5d upstream. + +We have reports of the following crash: + + PID: 7 TASK: ffff88085c6d61c0 CPU: 1 COMMAND: "kworker/u25:0" + #0 [ffff88085c6db710] machine_kexec at ffffffff81046239 + #1 [ffff88085c6db760] crash_kexec at ffffffff810fc248 + #2 [ffff88085c6db830] oops_end at ffffffff81008ae7 + #3 [ffff88085c6db860] no_context at ffffffff81050b8f + #4 [ffff88085c6db8b0] __bad_area_nosemaphore at ffffffff81050d75 + #5 [ffff88085c6db900] bad_area_nosemaphore at ffffffff81050e83 + #6 [ffff88085c6db910] __do_page_fault at ffffffff8105132e + #7 [ffff88085c6db9b0] do_page_fault at ffffffff8105152c + #8 [ffff88085c6db9c0] page_fault at ffffffff81a3f122 + [exception RIP: uart_put_char+149] + RIP: ffffffff814b67b5 RSP: ffff88085c6dba78 RFLAGS: 00010006 + RAX: 0000000000000292 RBX: ffffffff827c5120 RCX: 0000000000000081 + RDX: 0000000000000000 RSI: 000000000000005f RDI: ffffffff827c5120 + RBP: ffff88085c6dba98 R8: 000000000000012c R9: ffffffff822ea320 + R10: ffff88085fe4db04 R11: 0000000000000001 R12: ffff881059f9c000 + R13: 0000000000000001 R14: 000000000000005f R15: 0000000000000fba + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #9 [ffff88085c6dbaa0] tty_put_char at ffffffff81497544 + #10 [ffff88085c6dbac0] do_output_char at ffffffff8149c91c + #11 [ffff88085c6dbae0] __process_echoes at ffffffff8149cb8b + #12 [ffff88085c6dbb30] commit_echoes at ffffffff8149cdc2 + #13 [ffff88085c6dbb60] n_tty_receive_buf_fast at ffffffff8149e49b + #14 [ffff88085c6dbbc0] __receive_buf at ffffffff8149ef5a + #15 [ffff88085c6dbc20] n_tty_receive_buf_common at ffffffff8149f016 + #16 [ffff88085c6dbca0] n_tty_receive_buf2 at ffffffff8149f194 + #17 [ffff88085c6dbcb0] flush_to_ldisc at ffffffff814a238a + #18 [ffff88085c6dbd50] process_one_work at ffffffff81090be2 + #19 [ffff88085c6dbe20] worker_thread at ffffffff81091b4d + #20 [ffff88085c6dbeb0] kthread at ffffffff81096384 + #21 [ffff88085c6dbf50] ret_from_fork at ffffffff81a3d69f​ + +after slogging through some dissasembly: + +ffffffff814b6720 : +ffffffff814b6720: 55 push %rbp +ffffffff814b6721: 48 89 e5 mov %rsp,%rbp +ffffffff814b6724: 48 83 ec 20 sub $0x20,%rsp +ffffffff814b6728: 48 89 1c 24 mov %rbx,(%rsp) +ffffffff814b672c: 4c 89 64 24 08 mov %r12,0x8(%rsp) +ffffffff814b6731: 4c 89 6c 24 10 mov %r13,0x10(%rsp) +ffffffff814b6736: 4c 89 74 24 18 mov %r14,0x18(%rsp) +ffffffff814b673b: e8 b0 8e 58 00 callq ffffffff81a3f5f0 +ffffffff814b6740: 4c 8b a7 88 02 00 00 mov 0x288(%rdi),%r12 +ffffffff814b6747: 45 31 ed xor %r13d,%r13d +ffffffff814b674a: 41 89 f6 mov %esi,%r14d +ffffffff814b674d: 49 83 bc 24 70 01 00 cmpq $0x0,0x170(%r12) +ffffffff814b6754: 00 00 +ffffffff814b6756: 49 8b 9c 24 80 01 00 mov 0x180(%r12),%rbx +ffffffff814b675d: 00 +ffffffff814b675e: 74 2f je ffffffff814b678f +ffffffff814b6760: 48 89 df mov %rbx,%rdi +ffffffff814b6763: e8 a8 67 58 00 callq ffffffff81a3cf10 <_raw_spin_lock_irqsave> +ffffffff814b6768: 41 8b 8c 24 78 01 00 mov 0x178(%r12),%ecx +ffffffff814b676f: 00 +ffffffff814b6770: 89 ca mov %ecx,%edx +ffffffff814b6772: f7 d2 not %edx +ffffffff814b6774: 41 03 94 24 7c 01 00 add 0x17c(%r12),%edx +ffffffff814b677b: 00 +ffffffff814b677c: 81 e2 ff 0f 00 00 and $0xfff,%edx +ffffffff814b6782: 75 23 jne ffffffff814b67a7 +ffffffff814b6784: 48 89 c6 mov %rax,%rsi +ffffffff814b6787: 48 89 df mov %rbx,%rdi +ffffffff814b678a: e8 e1 64 58 00 callq ffffffff81a3cc70 <_raw_spin_unlock_irqrestore> +ffffffff814b678f: 44 89 e8 mov %r13d,%eax +ffffffff814b6792: 48 8b 1c 24 mov (%rsp),%rbx +ffffffff814b6796: 4c 8b 64 24 08 mov 0x8(%rsp),%r12 +ffffffff814b679b: 4c 8b 6c 24 10 mov 0x10(%rsp),%r13 +ffffffff814b67a0: 4c 8b 74 24 18 mov 0x18(%rsp),%r14 +ffffffff814b67a5: c9 leaveq +ffffffff814b67a6: c3 retq +ffffffff814b67a7: 49 8b 94 24 70 01 00 mov 0x170(%r12),%rdx +ffffffff814b67ae: 00 +ffffffff814b67af: 48 63 c9 movslq %ecx,%rcx +ffffffff814b67b2: 41 b5 01 mov $0x1,%r13b +ffffffff814b67b5: 44 88 34 0a mov %r14b,(%rdx,%rcx,1) +ffffffff814b67b9: 41 8b 94 24 78 01 00 mov 0x178(%r12),%edx +ffffffff814b67c0: 00 +ffffffff814b67c1: 83 c2 01 add $0x1,%edx +ffffffff814b67c4: 81 e2 ff 0f 00 00 and $0xfff,%edx +ffffffff814b67ca: 41 89 94 24 78 01 00 mov %edx,0x178(%r12) +ffffffff814b67d1: 00 +ffffffff814b67d2: eb b0 jmp ffffffff814b6784 +ffffffff814b67d4: 66 66 66 2e 0f 1f 84 data32 data32 nopw %cs:0x0(%rax,%rax,1) +ffffffff814b67db: 00 00 00 00 00 + +for our build, this is crashing at: + + circ->buf[circ->head] = c; + +Looking in uart_port_startup(), it seems that circ->buf (state->xmit.buf) +protected by the "per-port mutex", which based on uart_port_check() is +state->port.mutex. Indeed, the lock acquired in uart_put_char() is +uport->lock, i.e. not the same lock. + +Anyway, since the lock is not acquired, if uart_shutdown() is called, the +last chunk of that function may release state->xmit.buf before its assigned +to null, and cause the race above. + +To fix it, let's lock uport->lock when allocating/deallocating +state->xmit.buf in addition to the per-port mutex. + +v2: switch to locking uport->lock on allocation/deallocation instead of + locking the per-port mutex in uart_put_char. Note that since + uport->lock is a spin lock, we have to switch the allocation to + GFP_ATOMIC. +v3: move the allocation outside the lock, so we can switch back to + GFP_KERNEL + +Signed-off-by: Tycho Andersen +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/serial_core.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -182,6 +182,7 @@ static int uart_port_startup(struct tty_ + { + struct uart_port *uport = uart_port_check(state); + unsigned long page; ++ unsigned long flags = 0; + int retval = 0; + + if (uport->type == PORT_UNKNOWN) +@@ -196,15 +197,18 @@ static int uart_port_startup(struct tty_ + * Initialise and allocate the transmit and temporary + * buffer. + */ +- if (!state->xmit.buf) { +- /* This is protected by the per port mutex */ +- page = get_zeroed_page(GFP_KERNEL); +- if (!page) +- return -ENOMEM; ++ page = get_zeroed_page(GFP_KERNEL); ++ if (!page) ++ return -ENOMEM; + ++ uart_port_lock(state, flags); ++ if (!state->xmit.buf) { + state->xmit.buf = (unsigned char *) page; + uart_circ_clear(&state->xmit); ++ } else { ++ free_page(page); + } ++ uart_port_unlock(uport, flags); + + retval = uport->ops->startup(uport); + if (retval == 0) { +@@ -263,6 +267,7 @@ static void uart_shutdown(struct tty_str + { + struct uart_port *uport = uart_port_check(state); + struct tty_port *port = &state->port; ++ unsigned long flags = 0; + + /* + * Set the TTY IO error marker +@@ -295,10 +300,12 @@ static void uart_shutdown(struct tty_str + /* + * Free the transmit buffer page. + */ ++ uart_port_lock(state, flags); + if (state->xmit.buf) { + free_page((unsigned long)state->xmit.buf); + state->xmit.buf = NULL; + } ++ uart_port_unlock(uport, flags); + } + + /** diff --git a/queue-4.18/uprobes-use-synchronize_rcu-not-synchronize_sched.patch b/queue-4.18/uprobes-use-synchronize_rcu-not-synchronize_sched.patch new file mode 100644 index 00000000000..f002f019aeb --- /dev/null +++ b/queue-4.18/uprobes-use-synchronize_rcu-not-synchronize_sched.patch @@ -0,0 +1,39 @@ +From 016f8ffc48cb01d1e7701649c728c5d2e737d295 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 9 Aug 2018 15:37:59 -0400 +Subject: uprobes: Use synchronize_rcu() not synchronize_sched() + +From: Steven Rostedt (VMware) + +commit 016f8ffc48cb01d1e7701649c728c5d2e737d295 upstream. + +While debugging another bug, I was looking at all the synchronize*() +functions being used in kernel/trace, and noticed that trace_uprobes was +using synchronize_sched(), with a comment to synchronize with +{u,ret}_probe_trace_func(). When looking at those functions, the data is +protected with "rcu_read_lock()" and not with "rcu_read_lock_sched()". This +is using the wrong synchronize_*() function. + +Link: http://lkml.kernel.org/r/20180809160553.469e1e32@gandalf.local.home + +Cc: stable@vger.kernel.org +Fixes: 70ed91c6ec7f8 ("tracing/uprobes: Support ftrace_event_file base multibuffer") +Acked-by: Oleg Nesterov +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_uprobe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -952,7 +952,7 @@ probe_event_disable(struct trace_uprobe + + list_del_rcu(&link->list); + /* synchronize with u{,ret}probe_trace_func */ +- synchronize_sched(); ++ synchronize_rcu(); + kfree(link); + + if (!list_empty(&tu->tp.files)) diff --git a/queue-4.18/vmw_balloon-do-not-use-2mb-without-batching.patch b/queue-4.18/vmw_balloon-do-not-use-2mb-without-batching.patch new file mode 100644 index 00000000000..cacaa332b9a --- /dev/null +++ b/queue-4.18/vmw_balloon-do-not-use-2mb-without-batching.patch @@ -0,0 +1,44 @@ +From 5081efd112560d3febb328e627176235b250d59d Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:25 -0700 +Subject: vmw_balloon: do not use 2MB without batching + +From: Nadav Amit + +commit 5081efd112560d3febb328e627176235b250d59d upstream. + +If the hypervisor sets 2MB batching is on, while batching is cleared, +the balloon code breaks. In this case the legacy mechanism is used with +2MB page. The VM would report a 2MB page is ballooned, and the +hypervisor would only take the first 4KB. + +While the hypervisor should not report such settings, make the code more +robust by not enabling 2MB support without batching. + +Fixes: 365bd7ef7ec8e ("VMware balloon: Support 2m page ballooning.") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -341,7 +341,13 @@ static bool vmballoon_send_start(struct + success = false; + } + +- if (b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS) ++ /* ++ * 2MB pages are only supported with batching. If batching is for some ++ * reason disabled, do not use 2MB pages, since otherwise the legacy ++ * mechanism is used with 2MB pages, causing a failure. ++ */ ++ if ((b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS) && ++ (b->capabilities & VMW_BALLOON_BATCHED_CMDS)) + b->supported_page_sizes = 2; + else + b->supported_page_sizes = 1; diff --git a/queue-4.18/vmw_balloon-fix-inflation-of-64-bit-gfns.patch b/queue-4.18/vmw_balloon-fix-inflation-of-64-bit-gfns.patch new file mode 100644 index 00000000000..e5fd61b2ce3 --- /dev/null +++ b/queue-4.18/vmw_balloon-fix-inflation-of-64-bit-gfns.patch @@ -0,0 +1,70 @@ +From 09755690c6b7c1eabdc4651eb3b276f8feb1e447 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:24 -0700 +Subject: vmw_balloon: fix inflation of 64-bit GFNs + +From: Nadav Amit + +commit 09755690c6b7c1eabdc4651eb3b276f8feb1e447 upstream. + +When balloon batching is not supported by the hypervisor, the guest +frame number (GFN) must fit in 32-bit. However, due to a bug, this check +was mistakenly ignored. In practice, when total RAM is greater than +16TB, the balloon does not work currently, making this bug unlikely to +happen. + +Fixes: ef0f8f112984 ("VMware balloon: partially inline vmballoon_reserve_page.") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -450,7 +450,7 @@ static int vmballoon_send_lock_page(stru + + pfn32 = (u32)pfn; + if (pfn32 != pfn) +- return -1; ++ return -EINVAL; + + STATS_INC(b->stats.lock[false]); + +@@ -460,7 +460,7 @@ static int vmballoon_send_lock_page(stru + + pr_debug("%s - ppn %lx, hv returns %ld\n", __func__, pfn, status); + STATS_INC(b->stats.lock_fail[false]); +- return 1; ++ return -EIO; + } + + static int vmballoon_send_batched_lock(struct vmballoon *b, +@@ -597,11 +597,12 @@ static int vmballoon_lock_page(struct vm + + locked = vmballoon_send_lock_page(b, page_to_pfn(page), &hv_status, + target); +- if (locked > 0) { ++ if (locked) { + STATS_INC(b->stats.refused_alloc[false]); + +- if (hv_status == VMW_BALLOON_ERROR_RESET || +- hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED) { ++ if (locked == -EIO && ++ (hv_status == VMW_BALLOON_ERROR_RESET || ++ hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED)) { + vmballoon_free_page(page, false); + return -EIO; + } +@@ -617,7 +618,7 @@ static int vmballoon_lock_page(struct vm + } else { + vmballoon_free_page(page, false); + } +- return -EIO; ++ return locked; + } + + /* track allocated page */ diff --git a/queue-4.18/vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch b/queue-4.18/vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch new file mode 100644 index 00000000000..61f2e9b7114 --- /dev/null +++ b/queue-4.18/vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch @@ -0,0 +1,53 @@ +From c3cc1b0fc27508da53fe955a3b23d03964410682 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:27 -0700 +Subject: vmw_balloon: fix VMCI use when balloon built into kernel + +From: Nadav Amit + +commit c3cc1b0fc27508da53fe955a3b23d03964410682 upstream. + +Currently, when all modules, including VMCI and VMware balloon are built +into the kernel, the initialization of the balloon happens before the +VMCI is probed. As a result, the balloon fails to initialize the VMCI +doorbell, which it uses to get asynchronous requests for balloon size +changes. + +The problem can be seen in the logs, in the form of the following +message: + "vmw_balloon: failed to initialize vmci doorbell" + +The driver would work correctly but slightly less efficiently, probing +for requests periodically. This patch changes the balloon to be +initialized using late_initcall() instead of module_init() to address +this issue. It does not address a situation in which VMCI is built as a +module and the balloon is built into the kernel. + +Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -1297,7 +1297,14 @@ static int __init vmballoon_init(void) + + return 0; + } +-module_init(vmballoon_init); ++ ++/* ++ * Using late_initcall() instead of module_init() allows the balloon to use the ++ * VMCI doorbell even when the balloon is built into the kernel. Otherwise the ++ * VMCI is probed only after the balloon is initialized. If the balloon is used ++ * as a module, late_initcall() is equivalent to module_init(). ++ */ ++late_initcall(vmballoon_init); + + static void __exit vmballoon_exit(void) + { diff --git a/queue-4.18/vmw_balloon-vmci_doorbell_set-does-not-check-status.patch b/queue-4.18/vmw_balloon-vmci_doorbell_set-does-not-check-status.patch new file mode 100644 index 00000000000..fb30d6049bb --- /dev/null +++ b/queue-4.18/vmw_balloon-vmci_doorbell_set-does-not-check-status.patch @@ -0,0 +1,76 @@ +From ce664331b2487a5d244a51cbdd8cb54f866fbe5d Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:26 -0700 +Subject: vmw_balloon: VMCI_DOORBELL_SET does not check status + +From: Nadav Amit + +commit ce664331b2487a5d244a51cbdd8cb54f866fbe5d upstream. + +When vmballoon_vmci_init() sets a doorbell using VMCI_DOORBELL_SET, for +some reason it does not consider the status and looks at the result. +However, the hypervisor does not update the result - it updates the +status. This might cause VMCI doorbell not to be enabled, resulting in +degraded performance. + +Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 37 +++++++++++++++++++------------------ + 1 file changed, 19 insertions(+), 18 deletions(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -1036,29 +1036,30 @@ static void vmballoon_vmci_cleanup(struc + */ + static int vmballoon_vmci_init(struct vmballoon *b) + { +- int error = 0; ++ unsigned long error, dummy; + +- if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) != 0) { +- error = vmci_doorbell_create(&b->vmci_doorbell, +- VMCI_FLAG_DELAYED_CB, +- VMCI_PRIVILEGE_FLAG_RESTRICTED, +- vmballoon_doorbell, b); +- +- if (error == VMCI_SUCCESS) { +- VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET, +- b->vmci_doorbell.context, +- b->vmci_doorbell.resource, error); +- STATS_INC(b->stats.doorbell_set); +- } +- } ++ if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) == 0) ++ return 0; + +- if (error != 0) { +- vmballoon_vmci_cleanup(b); ++ error = vmci_doorbell_create(&b->vmci_doorbell, VMCI_FLAG_DELAYED_CB, ++ VMCI_PRIVILEGE_FLAG_RESTRICTED, ++ vmballoon_doorbell, b); + +- return -EIO; +- } ++ if (error != VMCI_SUCCESS) ++ goto fail; ++ ++ error = VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET, b->vmci_doorbell.context, ++ b->vmci_doorbell.resource, dummy); ++ ++ STATS_INC(b->stats.doorbell_set); ++ ++ if (error != VMW_BALLOON_SUCCESS) ++ goto fail; + + return 0; ++fail: ++ vmballoon_vmci_cleanup(b); ++ return -EIO; + } + + /*